Stealthy Golang Malware Uses Telegram Bots for C2: Possible Russian Origin

Security researchers have discovered a new strain of Telegram C2 malware built using Golang. This backdoor communicates through Telegram’s Bot API to stay hidden, execute commands remotely, and persist on compromised systems , all while evading traditional detection methods.

But its also capable of executing multiple commands via an attacker-controlled Telegram channel. Indicators suggest a possible Russian origin, based on linguistic clues embedded within the code.

How the Backdoor Works

The malware, compiled using the Go programming language, behaves like a typical backdoor once deployed. Upon execution, it checks whether it is running from a specific file path and name:

makefile

CopyEdit

C:\Windows\Temp\svchost.exe

If it’s not already located there, the malware copies itself to that path, spawns a new process from the copied version, and terminates the original instance—likely to evade sandbox detection or thwart analysis tools.

This self-replication step is a standard tactic among advanced persistent threats (APTs) aiming to blend in with legitimate Windows processes.

Telegram-Based C2 Infrastructure

What sets this malware apart is its use of Telegram’s Bot API, a technique that provides attackers with an easy, encrypted, and cloud-resilient channel for remote control.

Using an open-source Golang library that integrates with the Telegram API, the backdoor communicates with a Telegram bot controlled by the threat actor. Once active, the bot listens for specific commands sent via the Telegram chat, enabling remote execution.

Currently, the malware responds to four distinct commands (though not all are fully implemented yet):

• /cmd – Executes arbitrary PowerShell commands and sends the output back to the Telegram channel.
• /persist – Ensures the malware relaunches from the predefined path, maintaining persistence.
• /screenshot – Returns a placeholder message (“Screenshot captured”), but the actual screenshot functionality appears to be unfinished.
• /selfdestruct – Deletes itself from the system and terminates the running process, providing a built-in kill switch.

Interestingly, when the /cmd instruction is issued, the malware prompts the attacker with a message written in Russian, suggesting the developer or intended operator may be Russian-speaking.

Why Telegram?

Telegram offers several advantages for threat actors:

• Ease of setup – Creating and managing bots is straightforward and requires no infrastructure.
• Encrypted communications – Built-in encryption makes it harder for defenders to monitor traffic.
• Blending in with normal traffic – Because Telegram is widely used and cloud-based, it’s often whitelisted in corporate environments.

“The growing reliance on cloud platforms like Telegram for malicious C2 operations underscores the evolving nature of cyber threats,” noted Netskope researcher Leandro Fróes. “Attackers exploit the convenience and trust of these platforms to stay under the radar.”

FAQ

1. What is a Golang-based backdoor?
A Golang-based backdoor is malware written in the Go programming language designed to give remote access to an attacker.

2. How does Telegram’s Bot API help hackers?
It provides an encrypted, cloud-based way to send and receive commands, making detection and blocking more difficult.

3. Is this malware currently in the wild?
Yes, though it appears to be under development, it is already capable of executing several live commands.

4. Why is using Telegram for C2 operations effective?
Telegram traffic often goes unnoticed in enterprise environments and requires no infrastructure setup by the attacker.

5. How can organizations defend against such malware?
By monitoring unusual Telegram bot activity, restricting cloud app access, and using behavior-based detection tools.